Multiple scan engines

Forefront Security for Exchange Server (FSE) provides you with the ability to employ multiple scan engines (up to five) to detect and clean viruses.

Multiple engines provide extra security by letting you draw upon the expertise of various virus labs to keep your environments virus-free. A virus may slip by one engine, but it is unlikely to get past three.

Multiple engines also permit a variety of scanning methods. Forefront Security for Exchange Server integrates antivirus scan engines that use heuristic scanning methods with ones that use signatures. For more information about individual scan engines, visit each engine vendor's Web site. Links are provided at Microsoft Help and Support.

All the scan engines that FSE integrates have been certified by at least one of the following organizations: West Coast Labs, ICSA Labs, or Virus Bulletin.

Multiple engines are easy to configure. You can select only the engines you would like to use for a scan job, and then indicate the bias setting. These two settings (both on the Antivirus Settings pane) enable the FSE Multiple Engine Manager (MEM) to properly control the selected engines during the scan job.

MEM uses the engine results to decide the likelihood that a particular message or file contains a virus. If any of the engines used in a scan detect something, FSE considers the item infected and has the MEM deal with it accordingly.

MEM uses the results from each engine as part of its engine ranking process. MEM ranks each engine based on its past performance and its age. This information enables MEM to weight each engine so that better-performing ones are used more during scanning and their results are given more weight in determining if a file is infected. This ensures that the most up-to-date and best-performing engines have more influence in the scanning process.

If two or more engines are equally ranked, FSE invokes them by cycling through various engine order permutations.

The bias setting controls how each of the selected engines should be used in order to provide you with an acceptable probability that your system is protected. There is a trade-off between increasing the probability of catching a virus and maximizing your system performance. The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system's performance.

You can have a different bias setting on different servers, depending on your needs. For example, you might want to use only a single engine on your mailbox server, to maximize its system performance. Then, you can use several engines on your Edge or Hub transport servers.

Note:

The bias setting only applies to virus scanning. It is not used in filtering. You must select the policy for each scan (realtime, transport, manual, and quick scan) you configure; it is not global.

There are several possible bias settings. Each scan (other than one with a bias setting of Favor Certainty or Maximum Certainty) independently selects the engines to use.

Maximum Performance

FSE heuristically chooses only one engine from the selected engines, based on recent results. (Results are determined by when the engine or its definitions were last updated, and whether the engine recently incurred any errors.) This option increases system performance but is not the optimal setting for catching viruses since only one engine is used.

Favor Performance

FSE fluctuates between heuristically choosing only one engine from the selected engines and approximately half of the selected engines, based on recent results. (Results are determined by when the engine or its definitions were last updated, and whether the engine recently incurred any errors.) Performance is dependent on the number of engines being used, but in general this setting favors system performance.

Neutral

FSE heuristically chooses from the selected engines, based on recent results. (Results are determined by when the engine or its definitions were last updated, and whether the engine recently incurred any errors.) On average, half of the selected engines are used in scanning any single object, so this setting does not favor system performance over virus catching (and vice versa).

Favor Certainty

Scans with all selected engines that are available. Scans continue with the available engines when one of the selected engines is being updated. Depending on the number of engines that you have selected for each scan job, this option generally increases the probability of virus catching but not at the expense of delays in mail flow. This is the default value.

Maximum Certainty

Scans each item with all of the selected engines. Queues scanning if any selected engine becomes busy, such as during engine updates. Depending on the number of engines that you have selected for each scan job, this option generally increases the probability of virus catching at the expense of system performance.

Assuming you select five engines (the maximum you can use), the following table shows how each of the bias settings uses the engines in virus scanning.

| Bias setting | Description |
| --- | --- |
| Maximum Performance | Each item is virus-scanned by only one of the selected engines. |
| Favor Performance | Fluctuates between virus scanning each item with one and three engines. |
| Neutral | Each item is virus-scanned on average by three engines. |
| Favor Certainty | Fluctuates between virus scanning each item with three and five engines. |
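
The trade-off between engine count and catch probability can be put in numbers with a small model. This is an added example, not FSE or MEM code: the engine names and catch rates are constructed, engines are assumed to detect independently, "fluctuates" is modelled as an even split between the two engine counts, and Neutral is modelled as exactly three engines.

```python
from itertools import combinations
from math import prod

# Constructed per-engine catch rates (hypothetical engines, assumed independent).
ENGINE_CATCH_RATES = {"A": 0.95, "B": 0.92, "C": 0.90, "D": 0.88, "E": 0.85}

# Engines used per item with five engines selected, per the descriptions above.
# Assumptions: "fluctuates" = even split between the two counts; Neutral = exactly 3.
BIAS_ENGINE_COUNTS = {
    "Maximum Performance": (1,),
    "Favor Performance": (1, 3),
    "Neutral": (3,),
    "Favor Certainty": (3, 5),
    "Maximum Certainty": (5,),
}


def catch_probability(rates):
    """An item is treated as infected if ANY engine used in the scan detects it."""
    return 1 - prod(1 - r for r in rates)


def mean_catch_for_k(k):
    """Average catch probability over every k-engine subset, since which
    engines MEM picks for a given item is not known to this model."""
    subsets = list(combinations(ENGINE_CATCH_RATES.values(), k))
    return sum(catch_probability(s) for s in subsets) / len(subsets)


def bias_tradeoff():
    """Map each bias setting to (mean engines per item, mean catch probability)."""
    result = {}
    for bias, counts in BIAS_ENGINE_COUNTS.items():
        mean_engines = sum(counts) / len(counts)
        mean_catch = sum(mean_catch_for_k(k) for k in counts) / len(counts)
        result[bias] = (mean_engines, mean_catch)
    return result


if __name__ == "__main__":
    for bias, (engines, catch) in bias_tradeoff().items():
        print(f"{bias:20s} engines/item={engines:.1f}  P(catch)={catch:.6f}")
```

Real engines share detection techniques and samples, so their misses are correlated and the gain from each added engine is smaller than this independent model suggests; the scan cost per item still grows with the engine count.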